tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Anyway to enable just all TLS protocols in APR connector?
Date Sat, 18 Oct 2014 00:57:50 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

On 10/17/14 4:20 PM, Jeffrey Janner wrote:
>> -----Original Message----- From: Jeffrey Janner
>> [mailto:Jeffrey.Janner@PolyDyne.com] Sent: Friday, October 17,
>> 2014 3:04 PM To: 'Tomcat Users List' Subject: RE: Anyway to
>> enable just all TLS protocols in APR connector?
>> 
>>> -----Original Message----- From: Christopher Schultz
>>> [mailto:chris@christopherschultz.net] Sent: Friday, October 17,
>>> 2014 12:26 PM To: Tomcat Users List Subject: Re: Anyway to
>>> enable just all TLS protocols in APR connector?
>>> 
> Jeffrey,
> 
> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>>>>> Documentation for the APR connector says setting
>>>>> SSLProtocol="all" (the default) enables TLSv1+SSLv3, but
>>>>> actually enables TLSv1.1 and TLSv1.2 as well.
> 
> Why do you think that's the case?
>>> 
>>> Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and
>>> latest APR build.
>>> 
> 
>>>>> However, it only seems to accept SSLProtocol strings that
>>>>> includes TLSv1, SSLv2, SSLv3 or their combinations.
> 
> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are
> patched; expect new builds soon.
> 
>>>>> In other words, there doesn't seem to be a way to specify
>>>>> that you only want all 3 TLS versions and none of the SSL
>>>>> versions. Is there something I'm missing?
> 
> Nope.
> 
>>>>> FYI: I checked Bugzilla on this, and there seems to be some
>>>>> work progressing on coding support, but it also interjected
>>>>> a regression to turn SSLv2 back on by default.
> 
> This can happen in certain situations, like saying that you want 
> TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that 
> case, you get SSLv23 which I believe in OpenSSL means "SSLv3 + 
> SSLv2Hello" which is only as dangerous as SSLv3 right now.
>>> 
>>> Actually, I was looking at the most recent patch code. It
>>> actually modified the definition of ALL to include SSLv2. I
>>> pointed it out on Bugzilla, but thought I'd mention it here as
>>> well.
>>> 
> 
>> Chris, when I said most recent, I meant latest posted to the
>> Bugzilla entry when I read it. Just reviewed it again and see
>> that's not the patch you guys are implementing.

Can you check tcnative 1.1.x branch in subversion and Tomcat 7 or 8 in
subversion and let me know how they work for you (or don't)? No reason
to wait until there is an official build for testing.

>>>>> The question is, if there is no current "magic string" that
>>>>> Tomcat will accept to enable full TLS support, is this
>>>>> something we will have to wait for 7.0.57 (and the
>>>>> equivalent 6 & 8 versions) to be able to address?
> 
> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as
> well.
>>> 
>>> With bated breath, but not holding it.

It should be coming soon. I think markt is going to single-handedly
tag+release 3 Tomcat versions plus tcnative on all platforms. ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
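The attribute this thread is about can be checked mechanically rather than by reading server.xml by eye. The script below is an added example, not code from the thread or from the Tomcat project: it scans a server.xml for SSLEnabled="true" <Connector> elements and reports which legacy SSL versions each APR-connector SSLProtocol value still permits. It assumes the APR connector's '+'-separated token syntax (all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2), that an absent or empty attribute means the default "all", and, following the documentation quoted in the thread, that "all" includes SSLv3. The TLSv1.1 and TLSv1.2 tokens are only accepted by the patched Tomcat and tcnative builds Chris refers to; earlier builds reject them at startup. JSSE connectors are configured with sslEnabledProtocols instead and are not covered. The sample server.xml is constructed for the example.

```python
"""Audit a Tomcat server.xml for APR connectors that still permit SSLv2/SSLv3.

Added example, not Tomcat project code. Assumptions:
  * SSLProtocol (APR/native connector attribute) is a '+'-separated list of
    the tokens all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2.
  * An absent or empty SSLProtocol means the default "all".
  * "all" is counted as permitting SSLv3, as the documentation quoted in the
    thread describes it (TLSv1+SSLv3).
  * TLSv1.1/TLSv1.2 tokens are accepted only by the patched Tomcat/tcnative
    builds the thread refers to; older builds reject them at startup.
JSSE connectors use sslEnabledProtocols instead and are not covered here.
"""
import xml.etree.ElementTree as ET

LEGACY_SSL = {"SSLv2", "SSLv3"}
TLS_TOKENS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN_TOKENS = LEGACY_SSL | TLS_TOKENS | {"all"}

# The value the thread is asking for: every TLS version, no SSL version.
RECOMMENDED = "TLSv1+TLSv1.1+TLSv1.2"


def parse_ssl_protocol(value):
    """Split an SSLProtocol value into tokens; None or blank means 'all'."""
    if value is None or not value.strip():
        return ["all"]
    return [tok.strip() for tok in value.split("+") if tok.strip()]


def ssl_versions_enabled(value):
    """Return the legacy SSL versions a value permits (empty set = TLS only)."""
    enabled = set()
    for tok in parse_ssl_protocol(value):
        if tok == "all":
            enabled.add("SSLv3")  # assumption: "all" = TLSv1+SSLv3 per the docs
        elif tok in LEGACY_SSL:
            enabled.add(tok)
    return enabled


def audit_server_xml(xml_text):
    """Return [(port, SSLProtocol value, finding)] for each SSLEnabled connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("SSLProtocol")
        unknown = [t for t in parse_ssl_protocol(value) if t not in KNOWN_TOKENS]
        legacy = ssl_versions_enabled(value)
        if unknown:
            finding = "unrecognised token(s): " + ", ".join(unknown)
        elif legacy:
            finding = "permits " + ", ".join(sorted(legacy))
        else:
            finding = "TLS only"
        findings.append((conn.get("port"), value, finding))
    return findings


# Constructed sample, not a real deployment: the default (no attribute), the
# value the documentation describes, and the TLS-only value the thread wants.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               SSLCertificateFile="/path/to/cert.pem"
               SSLCertificateKeyFile="/path/to/key.pem"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               SSLProtocol="TLSv1+SSLv3"/>
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, value, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("port %s SSLProtocol=%r: %s" % (port, value, finding))
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; a connector reported as "permits SSLv3" is one that still needs the TLS-only value once a build that accepts the TLSv1.1 and TLSv1.2 tokens is installed.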

